Security Data Analytics and Reporting: Stakeholders
In the first three parts of this SDAR companion series, you learned about the expectations businesses have of Information Technology and Information Security, and about the challenge both types of teams typically face in objectively demonstrating the effectiveness of security investments. SDAR is a solution to this problem.
The first step a business must take when implementing SDAR is to identify who its stakeholders are. Next, the business should analyze those stakeholders’ high-level requirements, technology domains and viewpoints. Finally, the business can tie all of this together and implement SDAR.
This article will explore the different types of stakeholders an organization can have and their respective responsibilities.
Stakeholders
The primary stakeholders for an SDAR system are internal to the organization and hence are the main recipients of its reports. External stakeholders (such as regulators and auditors) obtain assurance through other channels, typically via the internal stakeholders.
Internal stakeholders have a vested interest in ensuring that the organization's computing resources are secure. Typical internal stakeholders include the board of directors; Governance, Risk and Compliance (GRC); business function leaders; security executives; IT executives and senior management; and analysts. Regardless of their role, internal stakeholders share the same concern: to ensure the business is reasonably resilient to cybersecurity incidents and remains compliant with cybersecurity regulations. However, the reporting expectations of each of these stakeholders are different. For example, GRC expects evidence of ISO/IEC 27001 compliance and alignment with ISO/IEC 27002 controls, whereas business function leaders expect assurance that their business services are delivered securely.
Providing compliance monitoring and reporting is different from providing security assurance to business function leaders. Understanding the core responsibilities of each stakeholder gives cybersecurity teams the information they need to define viewpoints, which can then be implemented in an SDAR system.
Board of Directors
An organization’s board is expected to provide both advice and oversight. In its advisory function, the board works with management to lay out the strategic and operational direction of the organization. In its oversight capacity, the board is expected to monitor management and ensure it is acting in the interests of internal and external stakeholders.
Depending on the nature of the organization, a board’s primary oversight focus varies:
For American publicly listed companies, the focus is on the interests of shareholders and investors.
For European publicly listed companies, the board has to balance the interests of internal stakeholders, external investors and shareholders.
For private companies, boards are mostly concerned with the interests of the organization’s owners.
For non-profits, boards aim to balance the interests of employees, benefactors and regulators (depending on the industry).
A board’s role also depends on the experience of its members and the level of participation of independent directors. Generally, for a private or non-profit organization, the board will be made up mostly of internal senior staff, although an organization may sometimes opt to recruit outsiders for their expertise.
Regardless, the responsibilities of the board can be categorized under governance, strategy, risk management, talent, compliance, culture and financials. In the past decade, cybersecurity oversight has either been absorbed into one of these categories or become an additional oversight area in its own right.
Governance, Risk and Compliance (GRC)
An oversight function exists to keep the organization on track. Generally, it is a set of processes and practices that runs across departments and functions. However, in some medium to large organizations, oversight is assigned to a dedicated department that assesses the maturity of the organization’s cybersecurity controls and provides reporting. In most smaller businesses, these tasks are handled by an enterprise risk management team.
GRC is usually managed by a VP, Chief Continuity Officer or Chief Compliance Officer. Cybersecurity has become one of this group’s core interests in recent years, due to increasing automation and digitization. Cybersecurity maturity is typically measured through compliance assessments, risk assessments or security performance assessments.
Business Leaders
These are the heads of non-IT business functions within the organization. Although they typically do not have deep knowledge of how cybersecurity benefits their business functions, they do recognize it as one of the organization’s primary concerns. Hence, they are usually committed to enforcing security controls within organizational processes and to making sure their IT systems run smoothly.
Security Executives
Security executives include CISOs, CSOs, CCOs and ISOs. All of these executives hold responsibilities delegated by the board of directors for securing the organization’s information technology.
How the organization is secured depends on how the board of directors understands the role of security and on where the security function sits within the organization. In many organizations, especially unregulated ones, security reports to IT and usually lives within the IT department. In this scenario, the IT executive acts as the CISO/CSO for the organization. This is the case for most private and not-for-profit organizations.
For public companies, however, cybersecurity or information security often lives outside of IT, reporting directly to the board of directors and sometimes to GRC. IT retains security-skilled personnel in its own team to execute the CISO/CSO’s IT security programs or to implement security controls. When security reports to the board of directors or to GRC, objective security reporting becomes a top priority, and SDAR is key to providing the required monitoring and reporting.
IT Executive and senior management
As custodian of business information and enabler of business services, IT is responsible for securing information and delivering business services securely. Even in IT- or technology-focused organizations, there is usually a segregated IT team with this same mandate. Although most technology leaders are well versed in cybersecurity, the field has become sophisticated enough that it has outgrown what a general IT function can deliver on its own.
Hence, information security has become an independent discipline, offering assurance to the business by recommending or mandating the security controls to be implemented on information systems.
IT and Security Analysts
Analysts from IT and security play a critical role in implementing use cases, automating the reporting requirements of security and IT executives, and maintaining the SDAR solution. Apart from implementing controls and providing dashboards to the different stakeholders, analysts can also use SDAR reports in their own daily work. In this case, the information for monitoring and reporting comes from the same source, but is interpreted at a much more technical level, with the ability to drill down when required.
SDAR analysts include data scientists, systems analysts, infrastructure analysts and security analysts. Depending on the organization and the metrics that need to be implemented, however, data scientists may not be needed in the initial stages of implementation.
Conclusion
For security teams to properly implement SDAR, it is essential that they understand the organization’s stakeholders and their responsibilities. In the next article, you will learn about the high-level organizational security reporting requirements, which will add to your knowledge of building an SDAR tailored to its recipients.